Are Mainframes Really More Secure?

Some two decades ago, I wrote a column in the Fall 1993 edition of the long-since departed magazine, Securities Industry Management, with the title “Two Cheers for Mainframes—The future may lie in distributed technology, but don’t junk your old iron just yet.” I made statements in the column such as: “If your existing system works well and there is no compelling reason to change, it probably pays to stay with what you have.” Who would have expected back then that mainframes would still be thriving some twenty years later?

And they are indeed thriving. In an article “I.B.M. Mainframe Evolves to Serve the Digital World” in The New York Times of August 28, 2012, Steve Lohr wrote that IBM has introduced a new model of mainframe, the zEnterprise EC12, to strengthen “the traditional mainframe’s skill of reliability and securely handling vast volumes of transactions,” and which, it is claimed, is “still the digital workhorse for banking and telecommunications networks.” Having spent a career in IT in the financial services industry, I can vouch for the continued use of mainframe systems well beyond their expected life. The Y2K remediation effort demonstrated that software systems, which were often 20-30 years old at that time, were not scheduled to be replaced in the foreseeable future. Hence large firms had to correct, at huge expense, code bases that typically ran to tens of millions of lines, frequently written in COBOL.

The NYT article quotes Mr. Momar Fall in Senegal as claiming that performance, security and reliability are the main reason for choosing mainframes, as well as 24/7 remote support from IBM. In the same newspaper, IBM took out a full page ad about their new mainframe computer, with sections headed:

Taking data security to the highest level

Turning data into one version of the truth, and

Creating efficiency with the Cloud

It is interesting to note that IBM put security first in its list of mainframe benefits, stating that the “zEnterprise is designed to meet the stringent Common Criteria (CC) EAL5+ security classification.” If you look down to the footnote attached to this statement, you are referred to www.atsec.com, the website of @Sec, a Common Criteria evaluation laboratory. Their list of CC certifications is at http://www.atsec.com/us/common-criteria-certificates.html. IBM is well represented in that list, with many certifications at EAL5 and a couple at EAL5+, including one for RACF for z/OS, Version IR12. However, it is noted in http://en.wikipedia.org/wiki/Common_Criteria that: “If a product is Common Criteria certified, it does not necessarily mean it is completely secure.” One of the criticisms of the CC approach is that “Evaluation focuses primarily on assessing the evaluation documentation, not on the actual security, technical correctness or merits of the product itself. For U.S. evaluations, only at EAL5 and higher do experts from the National Security Agency participate in the analysis; and only at EAL7 is full source code analysis required.” Other frequent criticisms of CC relate to its cost and timeliness. A practitioner should also remember that a certificate covers a specific product version in its evaluated configuration, not every deployment of that product.